Cybercriminals are holding schools ransom for billions and some are paying up

A new report highlights the financial costs of school ransomware, days lost to downtime and the number of students impacted, as these incidents become a steady source of criminal income.

college.jpg

Image: GettyImages/Jacob Ammentorp Lund

In recent months, a slew of cyberattacks hamstrung domestic meat and petroleum production and also set off a few alarms at a Florida water treatment facility. With companies willing to shell out big bucks to bring their companies back online and risk further fallout, it's becoming increasingly clear that no sector is off-limits, this includes education as students return to the classroom. On Tuesday, Comparitech released new research highlighting the financial costs of school ransomware, days lost to downtime and more as cybercriminals set their sights on education organizations.

"Many schools cannot operate without their computer systems, and some schools have had to cancel classes due to ransomware attacks," said Paul Bischoff, privacy advocate at Comparitech. "Resolving a ransomware attack without paying the ransom takes about two weeks on average, which is far too long for kids to be out of school. So ransomware creates urgency that makes schools more likely to pay up."

SEE: Security incident response policy (TechRepublic Premium)

Cyberattacks and ransomware payouts

Overall, the findings detail shifting cybersecurity trends across the education landscape. While total attacks on education centers appear to be on the decline, at the same time, these attacks are impacting a greater number of students with many more schools potentially impacted.

According to the findings, there were 77 ransomware attacks involving schools and colleges in 2020, representing a 20% decrease compared to 2019, yet, more than 1,740 of these institutions were "potentially affected;" a 39% increase from the year prior. More than 1.3 million students "could have been impacted" by these attacks in 2020, representing a 67% increase compared to 2019.

These cyberattack patterns have shifted markedly in the last few years. For example, there were 10 reported ransomware attacks in 2018, compared to 96 in 2019 and 77 in 2020, according to the report. However, as Bischoff points out in the report, this year-over-year dropoff "appears to have been in favor of larger, more targeted attacks on bigger school districts with higher budgets and larger numbers of students." So, why are cybercriminals choosing to focus on schools and where are these systems particularly vulnerable?

"Schools are often strapped for cash and therefore can't afford to invest a lot of resources into hiring qualified IT staff, keeping those staff trained, paying for audits or penetration tests, and buying up-to-date hardware and software," Bischoff said.

Additionally, he explained that schools often have online portals for student access and these platforms "serve as public-facing attack vectors and can, in turn, be targeted by remote hackers."

"A lot of staff at schools work on computers regularly but aren't IT experts, which creates more opportunities for hackers due to operational security missteps," Bischoff continued.

Education ransomware totals across the U.S.

In 2020, Texas topped the list, as the Lone Star State accounted for 13% of all U.S. ransomware attacks followed by No. 2 California (9%), according to the report; in terms of students affected, Nevada ranked No. 1 with 328,991 students impacted in 2020. As Bischoff explains, Nevada is home to the Clark County School District, one of the largest school districts in the U.S.

"As the county didn't pay the requested ransom, the hackers (Maze) dumped student records. The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed," said Bischoff.

In order, Maryland and Virginia ranked second and third with 10.5% and 8.8% of their students impacted, respectively.

Hackers targeting schools: Payouts and downtime

So, how much are these attacks costing school systems? The short answer: The picture isn't fully clear. As Bischoff points out in the report, "only a handful of providers publicly release" these data as these organizations "understandably" do not want to "discuss ransom amounts or whether they have paid these as it may incentivize further attacks." That said, the report said the estimated cost of these education sector ransomware attacks is valued at $6.62 billion in 2020 with hackers receiving "at least" $1.9 million in payouts.

Following an attack, schools spend an average of 55.4 days recovering and lose almost a full week (nearly 7 days) to "downtime," according to the report. Based on available data, Biscoff postulates that ransomware attacks could have resulted in "201 days of downtime and 1,108 days of recovery time in 2020."

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

From January 2018 through June 2021, schools and universities suffered 222 attacks, resulting in 1,387 days of estimated downtime with a cost of more than $17.3 billion, according to the report, although this sum does not include the 9,525 days spent recovering and these "potential recovery" costs.

"Despite the rise of ransomware's prominence in the news, the number of ransomware attacks against schools actually decreased from 2019 to 2020," Biscoff said. "However, ransom demands and the number of students impacted by ransomware attacks have continued to grow. I'll be interested to see how these trends play out post-pandemic, as lockdowns and the shift toward remote learning certainly had a role to play."

Also see